This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to capture all control and mgmt packets?

0

I'm capturing with tcpdump and also via the Wireshark GUI. The dropped packet count is 0, but I can clearly see that some clear-to-send / request-to-send and link-layer ACK packets are missing. Any idea why? I tried to increase the buffer to 100MB to see if it would help, but no success.

asked 06 Sep '11, 15:19


ddayan
accept rate: 0%

Do you see any wireless packets (display filter "wlan")?

(06 Sep '11, 23:44) Landi

Yeah, I can see most of the packets, but it's clear that some are missing. For example, I see a clear-to-send made from my machine but I don't see a request-to-send packet, or I can see that some packets don't have ACK packets but they are not retransmitted, so I know the packet was acknowledged.

(07 Sep '11, 03:51) ddayan

What is your capture setup then? Do you capture your own machine's traffic with a sniffer running on the very same machine (same NIC), or do you use another wireless card or even a 2nd device to capture the traffic? Also, which tool do you use to capture, and which specs (frequency, channel(s), 802.11a/b/g/n)?

(07 Sep '11, 05:05) Landi

I'm capturing using the same NIC; it's a Pentium 4 (1.4 GHz) laptop using an Atheros card and the ath5k driver, OS: BackTrack 5 (Linux).

To capture:
  1) I make a monitor interface using airmon-ng
  2) I start capturing using tcpdump (tcpdump -nvvXSs 1514 -i mon0 -w packet_dump) or Wireshark
  3) I connect to an AP.

I didn't find out how I can set the capture to a certain frequency/channel.

(07 Sep '11, 05:56) ddayan

One Answer:

4

Two things here:

  1. If you're going to capture your own traffic you should not use the same NIC, because in most cases you can either send or receive frames with your wireless adapter, which in most cases results in you not getting all of your own packets.
  2. You should also limit your channel(s) to the ones you are working on in order to prevent your wireless driver from hopping through some other channels and thereby missing packets. Put your NIC in monitor mode with airmon-ng start <whatever> and give it a channel number - see the aircrack-ng docs for details and command flags.

answered 07 Sep '11, 07:16


Landi
accept rate: 28%
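An added diagnostic for checking a capture like the one described above (this is example code, not code from the thread, Wireshark or tcpdump): it decodes the 802.11 Frame Control field of raw frames from a monitor-mode capture, tallies RTS/CTS/ACK/data/management frames, and lists unicast data frames that are not immediately followed by an ACK addressed to their transmitter. The frames below are constructed, and radiotap headers are assumed to have been stripped already.

```python
from dataclasses import dataclass
from typing import Optional

TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}

@dataclass
class Frame:
    ftype: str
    subtype: int
    ra: bytes            # receiver address (address 1)
    ta: Optional[bytes]  # transmitter address (address 2); absent in CTS and ACK

def parse_frame(raw: bytes) -> Frame:
    """Decode the Frame Control byte and the leading address(es) of a raw 802.11 frame."""
    if len(raw) < 10:
        raise ValueError("frame too short for Frame Control, Duration and RA")
    fc0 = raw[0]                 # bits 2-3: type, bits 4-7: subtype (little-endian field)
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    ra = raw[4:10]
    if ftype == 1 and subtype in (12, 13):   # CTS / ACK carry only RA
        return Frame("ctrl", subtype, ra, None)
    if len(raw) < 16:
        raise ValueError("frame too short for TA")
    return Frame(TYPE_NAMES.get(ftype, "reserved"), subtype, ra, raw[10:16])

def summarize(frames):
    """Count frames per kind, naming the control subtypes the thread cares about."""
    counts = {}
    for f in frames:
        key = CTRL_SUBTYPES.get(f.subtype, "ctrl") if f.ftype == "ctrl" else f.ftype
        counts[key] = counts.get(key, 0) + 1
    return counts

def find_unacked_data(frames):
    """Indices of unicast data frames with no ACK right after them.
    On a single channel the ACK follows the data frame after SIFS, so it should be the
    very next captured frame; broadcast/multicast data (group bit set) is never ACKed."""
    missing = []
    for i, f in enumerate(frames):
        if f.ftype != "data" or f.ra[0] & 1:
            continue
        nxt = frames[i + 1] if i + 1 < len(frames) else None
        if not (nxt and nxt.ftype == "ctrl" and nxt.subtype == 13 and nxt.ra == f.ta):
            missing.append(i)
    return missing

# Constructed sample capture (hypothetical addresses): RTS, CTS, data+ACK, data with its
# ACK missing, then a broadcast data frame. Duration field is zeroed, FCS omitted.
STA, AP, BCAST = b"\x02\x11\x22\x33\x44\x55", b"\x02\xaa\xbb\xcc\xdd\xee", b"\xff" * 6
def _mk(fc0, ra, ta=b""):
    return bytes([fc0, 0x00]) + b"\x00\x00" + ra + ta
SAMPLE_CAPTURE = [
    _mk(0xB4, AP, STA),                          # RTS
    _mk(0xC4, STA),                              # CTS
    _mk(0x08, AP, STA) + AP + b"\x00\x00",       # data, acknowledged below
    _mk(0xD4, STA),                              # ACK
    _mk(0x08, AP, STA) + AP + b"\x10\x00",       # data, ACK never captured
    _mk(0x08, BCAST, STA) + AP + b"\x20\x00",    # broadcast data, no ACK expected
]
```

Running parse_frame over SAMPLE_CAPTURE and passing the result to find_unacked_data reports index 4, the one data frame whose ACK never appeared in the capture.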

From my understanding, if you listen from the same card the outgoing packets are delivered from the driver, not by listening to the channel (i.e. the driver sends the packet and stores a copy locally). However, I captured with another laptop and I can see more acknowledgments now. Thanks!

(08 Sep '11, 05:42) ddayan

True, I myself don't exactly know where the driver captures the packets on wireless NICs, but from what I've experienced while capturing wireless frames it was never a good idea to rely on the same machine sending and monitoring stuff - anyways, good that it seems to work now. Good luck.

(08 Sep '11, 06:49) Landi